A broad coalition of national and state associations representing retailers and other merchants sent a letter this week to congressional leaders calling for federal legislation to establish a single national standard for notifying American consumers when a business suffers a breach of security involving financial data or other sensitive personal information.
The letter, signed by 44 organizations, urged Congress to pass comprehensive data security legislation that would apply to all businesses, including financial institutions, merchants, payment card processors, technology companies and telecommunications providers. The group supports federal legislation that would standardize and streamline data breach notification rules so the public is promptly informed when breaches occur.
“[A]ny legislation to address these threats must cover all of the types of entities that handle sensitive personal information,” the letter said. “Exemptions for particular industry sectors not only ignore the scope of the problem but create risks criminals can exploit.”
Some data breach notification proposals being considered in Congress would only require merchants collecting payment card numbers to notify consumers of a breach while exempting other entities in the payments system, including card processors, financial services companies and telecommunications providers.
The merchant letter cited Verizon's annual 2014 Data Breach Investigations Report, which showed that retailers accounted for 10.8% of data breaches in 2013 while the financial services industry accounted for 34%.
While a vote on data breach legislation is not expected during the remaining weeks of this Congress, the merchant coalition insists that any new legislation cover all entities involved in the handling of consumers’ sensitive personal information.
“Consumers deserve to know when they are placed at risk regardless of where the risk arises. The public expects no less,” the letter observed. “Congress should act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur. However, legislation that would demand notice of some sectors while leaving others largely exempt will unfairly burden the former and unnecessarily betray the public’s trust.”
NRF has long supported federal legislation that would replace the varying breach notification laws in 47 states and four federal jurisdictions with a uniform national standard.